Prepare for the Cyber Resilience Act (CRA) with confidence and secure your products with cybersecurity requirements for products with digital elements in the EU.

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA), formally Regulation (EU) 2024/2847, introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market. It applies to both hardware and software and covers cybersecurity responsibilities across the product lifecycle, from design and development through vulnerability handling, security updates, technical documentation, and incident reporting.

The Cyber Resilience Act becomes fully applicable on 11 December 2027, after which products with digital elements must comply with the CRA cybersecurity requirements before they can be placed on the EU market.

Under the CRA, cybersecurity compliance becomes part of the CE marking framework for in-scope products sold into the European Union.

Why is the Cyber Resilience Act important?

The CRA is important because it moves cybersecurity from a recommended practice to a regulatory requirement for a broad range of connected and software-enabled products entering the EU market.

For manufacturers, that means cybersecurity must be addressed much earlier and much more systematically. It is no longer enough to respond to risks after launch. Companies must be able to show that cybersecurity has been considered during product design, embedded into development processes, documented appropriately, and maintained throughout the support period.

The CRA also introduces ongoing obligations tied to vulnerability handling and incident reporting, which makes this a lifecycle issue rather than a one-time approval exercise.

What are the key dates for the Cyber Resilience Act (CRA)?

The CRA entered into force on 10 December 2024. However, the obligations apply in phases.

  • From 11 September 2026, manufacturers must begin reporting actively exploited vulnerabilities and severe incidents.
  • From 11 December 2027, the CRA becomes fully applicable. All in-scope products must comply with the cybersecurity requirements before they can be placed on the EU market.

Note that the September 2026 reporting obligations apply to covered products that are still within their support period, including legacy products already on the EU market.

Industries impacted by the Cyber Resilience Act (CRA)

The CRA applies to any manufacturer placing products with digital elements on the EU market, regardless of where that manufacturer is located. Non-EU manufacturers must still ensure compliance, and they may appoint an EU authorized representative.

Importers and distributors operating in the EU also have obligations under the regulation. For global manufacturers, this means CRA readiness is not just a European issue. It is a product access issue for any company selling into the EU.

Medical, automotive, and aviation equipment may be exempt due to separate requirements within those product categories.

Products and Product Categories that are in scope of CRA

The CRA applies to products with digital elements, meaning hardware or software products whose intended or reasonably foreseeable use involves a direct or indirect logical or physical data connection to another device or network.

It includes connected hardware devices, software products, embedded software or firmware, products connected to cloud or remote services required for the product to function, and both industrial and consumer connected products. Examples include:

  • mobile applications
  • firmware
  • embedded systems
  • components such as processors or security chips

If your products include software, firmware, connectivity, or rely on cloud or remote services to function, the CRA likely deserves serious attention. The regulation is intentionally broad and is not limited to a single vertical market.

Some people have likened the Cyber Resilience Act to the cybersecurity requirements of the Radio Equipment Directive (RED). However, a significant departure is that unlike the RED, the CRA is not limited to radio equipment. It applies more broadly to products that connect directly or indirectly to another device or network.

Product classifications under the Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) organizes products into risk-based categories that determine how they are assessed for compliance.

Most products fall into the Default (General) category, which typically allows manufacturers to follow a self-assessment route. Beyond this, the CRA defines higher-risk groupings based on the potential impact of a cybersecurity failure.

Important Class I products include widely used digital tools such as operating systems, browsers, routers, password managers, and smart home security devices. These products play a significant role in everyday digital environments but generally follow streamlined conformity paths when aligned with harmonized standards.

Important Class II products represent higher-risk infrastructure components, including firewalls, intrusion detection systems, and hypervisors. Because of their critical role in protecting systems and networks, these products require third-party conformity assessment by a Notified Body.

At the highest level, Critical Products include technologies that are foundational to security and trust, such as hardware security modules, smartcards, and secure elements. These products are expected to undergo a European cybersecurity certification scheme where available. If such a scheme is not in place, assessment through a Notified Body is required.

Understanding where a product fits within this structure is an important early step, as it directly impacts the compliance pathway, documentation requirements, and time to market.

Product Category   | Risk Level | Example Products                                       | Conformity Route
-------------------|------------|--------------------------------------------------------|-------------------------------------------
Default (General)  | Standard   | IoT devices, software apps, smart home products        | Self-assessment
Important Class I  | Elevated   | OS, browsers, routers, password managers               | Self-assessment using harmonized standards
Important Class II | High       | Firewalls, IDS/IPS, hypervisors                        | Notified Body required
Critical Products  | Highest    | Smartcards, secure elements, hardware security modules | EU certification scheme or Notified Body

Manufacturers must take action to comply

Manufacturers must ensure products are secure by design and by default, developed using secure development practices, delivered with known vulnerabilities addressed, protected against unauthorized access, designed to minimize attack surfaces, and supported with security updates.

They must also perform a cybersecurity risk assessment, maintain a Software Bill of Materials, implement vulnerability handling processes, prepare technical documentation, and report actively exploited vulnerabilities and severe incidents within defined timelines. These are ongoing lifecycle obligations, not just pre-market tasks.

Lifecycle Stage      | CRA Expectations
---------------------|----------------------------------------------------------------------------------------
Design & Development | Secure by design and default, risk assessment, minimize attack surface
Pre-Market           | Address known vulnerabilities, prepare technical documentation, define support period
Market Placement     | CE marking with CRA compliance
Post-Market          | Monitor vulnerabilities, provide updates, maintain documentation
Incident Response    | Report exploited vulnerabilities within 24 hours, detailed report within 72 hours

What Technical Documentation is Required for the Cyber Resilience Act (CRA)?

Under the Cyber Resilience Act, manufacturers are required to prepare and maintain comprehensive technical documentation that demonstrates compliance with the regulation. At a minimum, this documentation should include a clear product description, along with architecture and design information that explains how the product functions and how cybersecurity is addressed. A documented cybersecurity risk assessment is essential, supported by a Software Bill of Materials (SBOM) that identifies relevant components and dependencies.

Manufacturers must also define and document their security update policy, vulnerability handling process, and incident reporting procedures. In addition, technical evidence is required to show alignment with the essential cybersecurity requirements outlined in Annex I, along with any applicable test reports or conformity assessment results.

User-facing documentation must also be addressed, including guidance on secure configuration, details on the product’s support period, and information on how updates will be delivered.

This documentation is not static. It must be actively maintained and updated throughout the product lifecycle as changes are made, vulnerabilities are identified, and security updates are deployed.

How should manufacturers prepare now for the Cyber Resilience Act (CRA)?

It’s always recommended to start preparation well before the full application date. Practical first steps include determining product classification, conducting a CRA gap analysis, performing cybersecurity risk assessments, implementing secure development lifecycle processes, building or maturing vulnerability handling and incident reporting processes, preparing technical documentation, and planning for the correct conformity assessment route and CE marking obligations.

Because reporting duties begin in September 2026, preparation should not be deferred until 2027.

How Intertek supports your Cyber Resilience Act (CRA) compliance journey

Manufacturers must take a structured approach to CRA compliance. Intertek supports each step.

  1. Product classification
    Assess whether your product falls under Default, Important Class I/II, or Critical categories, and confirm the appropriate conformity assessment route.
  2. CRA gap assessment
    Evaluate your current processes, product security posture, and documentation against CRA requirements to identify gaps and define a clear remediation roadmap.
  3. Cybersecurity risk assessment (support and review)
    Support the development of your cybersecurity risk assessment and review it for alignment with CRA essential requirements and lifecycle expectations.
  4. Security testing and validation
    Test products against applicable standards and CRA requirements, including vulnerability assessments and penetration testing.
  5. Technical documentation (review and support)
    Review technical documentation for completeness and compliance with CRA requirements, and support its development, including SBOM, risk assessment outputs, and lifecycle processes.
  6. Conformity assessment and CE marking support
    Support self-assessment or Notified Body pathways, depending on product classification, and help ensure full compliance with the Act.

Why choose Intertek to help with Cyber Resilience Act (CRA) compliance?

Intertek supports manufacturers throughout the Cyber Resilience Act compliance journey, from initial product classification and gap assessment through security testing, technical documentation, and conformity assessment support. Our broader cybersecurity capabilities also include work related to IEC 62443, EN 18031, ETSI EN 303 645, IEC 81001-5-1, vulnerability assessments, penetration testing, secure architecture reviews, threat modeling, Common Criteria, FIPS 140-3-related cryptographic module evaluation, AI red teaming, and ransomware resilience.

This experience (and world-class level of expertise) can help manufacturers address Cyber Resilience Act (CRA) obligations while also aligning cybersecurity programs across other standards and market requirements.

Cyber Resilience Act (CRA) - Frequently Asked Questions (FAQs)

The Cyber Resilience Act, or CRA, is Regulation (EU) 2024/2847. It introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market and applies to both hardware and software.

The Cyber Resilience Act (CRA) entered into force on 10 December 2024. Reporting obligations for actively exploited vulnerabilities and severe incidents begin on 11 September 2026, and the regulation becomes fully applicable on 11 December 2027.

Yes. Any manufacturer placing products with digital elements on the EU market must comply, even if the company is based outside the EU. Importers and distributors in the EU also have obligations.

A product with digital elements is hardware or software whose intended or reasonably foreseeable use involves a direct or indirect data connection to another device or network. This can include connected devices, software, firmware, mobile apps, and products that rely on cloud or remote services to function.

Yes. The Cyber Resilience Act (CRA) explicitly includes standalone software placed on the EU market, including desktop applications, operating systems, firmware, mobile applications, development tools, and commercialized libraries or SDKs.

Manufacturers must perform and document cybersecurity risk assessments, design products to meet essential cybersecurity requirements, implement secure development practices, provide security updates during the support period, maintain vulnerability handling processes, prepare technical documentation, and report certain vulnerabilities and incidents within defined timelines.

The Cyber Resilience Act (CRA) uses risk-based categories. Most products fall into the default category. Important Class I and Class II products include higher-risk product types identified in Annex III. Critical products are listed in Annex IV and are considered especially important for trust or essential services. These classifications affect the conformity assessment path.

Not always. Many general products can follow a self-assessment route. Important Class II products require a Notified Body conformity assessment. Critical products are expected to use a European cybersecurity certification scheme, or a Notified Body if no applicable scheme exists.

From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe security incidents affecting covered products. An early warning is required within 24 hours, followed by a more detailed notification within 72 hours, with follow-up updates as needed through the EU reporting platform managed by ENISA.

Manufacturers should maintain technical documentation that includes a cybersecurity risk assessment, product and architecture details, lifecycle and update processes, vulnerability handling procedures, an SBOM, user instructions, declaration of conformity materials, and supporting evidence of compliance with Annex I.

Related Links

Cyber Resilience Act Overview | Fact Sheet

This fact sheet outlines key requirements, timelines, and product classifications, along with practical steps to prepare for CE marking and lifecycle cybersecurity obligations. Get a clear, concise overview to help navigate CRA requirements with confidence.

EU Cyber Resilience Act | Webinar

Gain clarity on the EU Cyber Resilience Act with our on-demand webinar that breaks down scope, classification, risk obligations, and CE pathways, helping manufacturers prepare for upcoming deadlines and build secure, compliant products across the full lifecycle.

Cyber Resilience Act Frequently Asked Questions (FAQs)

Understand scope, timelines, product classification, reporting obligations, and documentation requirements of the EU Cyber Resilience Act with this concise FAQ guide.